This question may be a bit too broad and open ended, however I'm hoping to get some good advice on this.

With the advent of BeEF and more and more of the computers in networks being infected just by going to websites, I wonder what effective methods there are to mitigate such risks besides keeping your browser up to date, using noscript, OS updates, etc.

3 Answers
3

Keep your system up to date, but that is obvious and wouldn't help you with the IE 0-day last month.

The majority of browser based exploits require JavaScript in some capacity. NoScript helps mitigate these attacks.

The Google Safe browsing API is used by Firefox and Chrome by default to prevent you from reaching a site that is known to be leveraging browser based attacks. However this does nothing for a targeted BeEF attack.

Some Anti-Viruses will plug into your browser and prevent an exploit from loading. This could prevent a targeted BeEF attack. But AV's aren't perfect and can be fooled.

Plan on failure, consider doing most of your day to day browsing inside a VM. Restore this VM to a virgin state on a regular basis (once a week, or once a month). Assume that you have been compromised and change your passwords regularly.

This is a great answer, and pretty much what I expected - there doesn't appear to be a fool proof way to mitigate these attacks or scenarios.
–
DKNUCKLESOct 18 '12 at 19:19

1

A sandboxing tool is a possible alternative to a VM, though it requires more user effort. Note that installing integration tools into your VM often opens up your host machine to infection, especially in the case of clipboard and drive sharing. Such holes tend to show up as virus-friendly network shares.
–
BrianOct 18 '12 at 20:18

IMO the two most secure browsers are Chrome, and Firefox with NoScript.

Chrome is a better default option because its secure sandbox applies to all sites, and doesn't get in your way. There are some reasons not to use Chrome, but it's not a direct threat to your privacy. If privacy against Google is a concern, you can still change the search engine, enable Do-Not-Track, and avoid using the "Sign in to Chrome" feature.

Firefox with NoScript (whitelisted or not) also probably has the best defense against reflected XSS, and against CSRF of devices on your home network including your router. Firefox with NoScript can be a good option if you prefer how some websites behave with javascript disabled anyway, and you can cope with the occasional horribly subtle breakage that requires you to remember you're using NoScript (and need to whitelist the site). Unfortunately more websites (like StackOverflow) are now using Javascript for essential functions. It's attractive to the paranoid... though it's starting to look outdated, and Firefox really needs to work on sandboxing. But there are other reasons people prefer Firefox to Chrome. If NoScript is working for you, then so long as you don't get complacent, you're not going to be less secure than the current average user.

Third place goes to the latest version of IE, which has some sandboxing. There are certainly other reasons to dislike it ;).

Safari on Windows I don't trust at all really. (Native Safari may benefit from some sandboxing nowadays though). Opera gets marked down for not having NoScript (at least, nothing as well-developed as the FF version).

Firefox with NoScript set to "allow scripts globally" still protects against a few attacks (including the local router CSRF), and gives you the option of switching to whitelist-only if there's an unpatched exploit going around. Firefox is decent at blocking known-vulnerable versions of Java. And you can still block Flash globally (or install a FlashBlock extension, or enable the new builtin click-to-play). If you're not willing or able to use the latest version of IE or Chrome, it's a pretty good alternative; it just can't make up for the lack of sandboxing.

Education. Teach your users how to recognise strange links and how to identify phishing emails. Help them understand that the company stays in business because outsiders can't access confidential documents.

Policy. Enforce good user behaviour by asserting certain practices and limitations in your company policy. Make every user read and sign a copy. Remember that this policy must not be full of jargon - the average person in your business has to be able to fully comprehend it. Include reasons for policies, too. There are other questions about policy writing on this site, so feel free to dig around.

Configuration. Alter the security settings on your browser to prevent JavaScript and plugins by default. You could use AdBlock and NoScript to help reduce your attack surface.

Protection. Use an anti-malware solution and a firewall on every machine. Pick an AV that's relatively lightweight - the detection rates don't vary much between the major vendors. If you're not keen on AV products, at least install Microsoft Security Essentials. Either way, keep the AV and firewall up to date.

Sandbox. Use a sandboxing tool such as Sandboxie to isolate individual processes when dealing with untrusted data. This is especially useful and convenient when dealing with things like PDFs, where you don't make any changes to the system.

Scanning. Upload untrusted executables and documents to an AV aggregation tool such as VirusTotal. This gives you a good early warning if the file is infected.